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REGISTRY MONITORING SYSTEM AND METHOD 



FIELD OF THE INVENTION 



The invention relates to the protection of data stored in a computer, and more particularly 
5 to data which has been imported from an outside source. 



BACKGROUND OF THE INVENTION 



A registry is a hierarchical repository for configuration data. The terms "information" 
and "data" as used herein are each intended to include the broadest definition of the other, and 
each include text, audio and video data. By way of further example, the term "information"can 
10 mean raw data, processed data, or a combination of raw and processed data. The registry may 
keep track of all software stored on the computer, and the relationship between programs. The 
registry may keep track of a plurality of users and hardware configurations. Preferences may 
vary among the plurality of users. 

Each piece of data in the registry has a key-value associated with it. Together the name 
15 and value is referred to as a value entry. A key is analogous to a folder and may itself contain 
one or more folders, which may be referred to as subkeys, and one or more name-value pairs. 
The key may also be referred to as a name or a handle. To access the data and retrieve the stored 
value the correct key is needed. 

Because the registry is a database, and thus, is a data storage location, it may be exploited 
20 for leaking data. "Leaking data" as used herein means transferring data out of a system in which 
it is desired to have the data secured. A process may write information to the registry, for 
example, for temporary storage. Another process may then access the information fi-om the 
registry and write the data to a registry key. Another process may then read the data from the 
registry key and write it to a disk or other storage device, thereby leaking data. Accordingly, for 
25 applications wherein data security is important, there is a need to limit data leakage from the 
registry. 

SUMMARY OF THE INVENTION 



The invention discloses a registry monitoring method particularly applicable to a system 
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in which protected data is transmitted to a recipient computer. An illustrative embodiment of the 
invention comprises requesting a handle for a registry key to a calling process, requesting a 
registry key value for the handle, modifying and deleting keys and values of protected data 
locations, and obtaining security clearance to complete the requests by checking secured process 
Usts and rejection lists. 

Further disclosed are a registry monitoring system, a secured data fransmission system 
including registry monitoring, a machine-readable medium comprising a program to monitor a 
registry, and a computer configured to monitor a registry. 



DESCRIPTION OF THE DRAWINGS 



10 The invention is best understood from the following detailed description when read with 

the accompanying figures. 

FIGURE 1 is a diagram of a portion of a computer system according to an illustrative 
embodiment of the invention. 

FIGURES 2 A-C are flow charts of a registry monitoring system according to an 
1 5 illustrative embodiment of the invention. 



DETAILED DESCRIPTION OF THE INVENTION 



Embodiments of the invention disclosed comprise a method and system for monitoring a 
registry and may reduce or eliminate data leakage from the registry. The invention secures 
processes to deny data transfer to non-visual aspects of the system. This includes, for example, 
20 restricting writing to a file system, transferring data over communication ports, sharing memory 
with other processes and writing data to the registry. 

An exemplary embodiment of the registry monitoring method comprises requesting a 
handle for a registry key to a calling process, requesting a registry key value for the handle, and 
obtaining security clearance to complete the requests by checking secured process lists and 
25 rejection lists. Because the ability to add to the registry is blocked, the ability to delete from the 
registry is also blocked. Therefore, the system includes a method for modifying and deleting 
keys and values with a security check incorporated therein. 

The registry monitoring method of the present invention is best described as it may be 
carried out on a computer implemented secured data transmission system. An illustrative 
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example of such a system comprises two main components, a data packager and a receiver. The 
packager is used to create packages that carry file content to target recipients. The receiver runs 
on a recipient computer to allow access to packaged file content. 

FIGURE 1 depicts an illustrative computer system 100 according to an embodiment of 
5 the invention. A registry entry guard driver 120 is in communication with file system hook 
driver 140. Both drivers exist on the kernel (ring 0) level 130. Applications 160 run on higher 
levels 140. When applications 160 request access to registry 1 10, guard driver 120 in 
conjunction with hook driver 140 monitors and handle the requests. 

A package carries data and provides associated information to a command center which is 
10 a component of an application programming interface, such as a Win32 process. A 

communication driver handles communication between the application programming interface 
and a plurality of device drivers. It provides a single set of device driver I/O control fiinctions 
that are called firom the application programming interface to send information to or retrieve 
information from the device drivers. The communication driver is called by a hook driver to 
1 5 notify the command center that a process is trying to open a packaged file. The device drivers, 
together with the application programming interface, marshal the packaged content into a vauh 
and support access to the content, subject to an originator's permission selection. The command 
center may watch for packages to be executed and prompt users for file names to save a package 
payload. It may notify the file system hook driver that a package payload should be absorbed 
20 into the vault. It may present users with dialog indicating that an application is attempting to 
Open a packaged file. It may also notify device drivers 106 when applications exit. The 
command center may block clipboard access and terminate applications at the request of a 
permissions device driver when permissions expire. Permission information is contained in a 
database and may include, for example, file names, package ID, file system ID and file 
25 permissions. File permissions may include, but are not limited to, length of time or nxmiber of 
times a file may be open, date after which a file may no longer be opened, and printing and 
clipboard permissions. 

File system hook driver 140 obtains a data request initiated from a user who is looking to 
access a packaged or absorbed file. When hook driver 140 receives the requests it performs a 
30 security check on the process and then queries the user. The process is then added to a secured 
process list. The registry monitor is notified that the process is secured so it may block access in 
the fiiture. 

FIGURES 2 A-C depict an illustrative embodiment of the invention. Those skilled in the 
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art will understand that variations on the registry monitoring system that include security checks 
to block access to keys and values are equivalent to the steps described herein, and thus, are 
within the spirit and scope of the invention. FIGURE 2A depicts an illustrative filtering sequence 
for a registry open key call. The call is made to obtain a handle for a registry key to a calling 
5 process. The registry key handle call is made in step 302. In step 304 a process ID and registry 
key are determined. B^ed on this information it is determined in step 306 whether the process is 
secured by checking a secured process list. The secured process list is continually updated as 
processes successfully request secured data from the hook driver and process quit calls are 
initiated. If the process is secured, then in step 308 it is determined whether the registry key is 
10 on a rejection list. If the registry key is on the rejection list, the process is denied access to the 
registry key in step 310 and the call is successfully filtered in step 312. If the process is not on 
the secured list or if the registry key name is not on the rejection list, then in step 3 14 the request 
is completed and the call is successfully filtered in step 312. 

FIGURE 2B is an illustrative flow chart for a registry key value call filtering sequence. 
15 A registry key value for the handle is requested in step 316. The process ID and registry key 
name are determined in step 318. In step 320 the secured process list is again consulted to 
determine whether the process is secured. If the process is secured, it is determined in step 322 
whether the registry key is on a rejection list. If the registry key is on the rejection list, the 
process is denied access to the registry key value in step 324, and the call is successfully filtered 
20 in block 326. If the process is not on the secured list, the request is completed in step 328, and 
1 the call is successfiiUy filtered in block 326. If the registry key is not on the rejection list and the 
process is on the secured process list, the value request is processed in step 330 and it is 
determined whether the value is on the rejection hst in step 332. If the value is not on the 
rejection list the request is allowed to be completed in step 328, and the call is successfiilly 
25 filtered in block 326. If the value is on the rejection list then in step 324 access is denied to the 
registry key value, and the call is successfully filtered in block 326. 

Handles and values may then be deleted or modified. An exemplary flow chart for a 
deletion or modification sequence is depicted in FIGURE 3C. A delete or set-value call is made 
in step 334. The process ID is then determined in step 336. In step 338 it is then determmed 
30 whether the process is secured by checking whether the process is on the secured process Hst. If 
the process is not on the secured process list, the request is completed in step 340 and the call is 
successfiiUy filtered in step 342. If the process is on the secured process list, the request is not 
allowed to be completed in step 344 and the call is successfully filtered in step 342. 
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Further disclosed is a registry monitoring system wherein the registry is monitored 
according to methods described herein. Additionally, an embodiment of the invention includes a 
computer configured to monitor a registry according such methods. The terms "computer" or 
"computer system" as used herein include any device capable of receiving, transmitting, and/or 

5 using information., including, without limitation, a processor, a microprocessor, a personal 
computer, such as a laptop, palm PC, desktop or workstation, a network server, a mainframe, an 
electronic wired or wireless device, such as for example, a telephone, an interactive television or 
electronic box attached to a television, such as for example, a television adapted to be connected 
to the Internet, a cellular telephone, a personal digital assistant, an electronic pager, and a digital 

10 watch In an illustrative example information is transmitted in the form of e-mail. Embodiments 
of the invention still further include a machine-readable meditmi comprising a program to 
monitor a registry according to methods described herein. 

While the invention has been described by illustrative embodiments, additional 
advantages and modifications will occur to those skilled in the art. Therefore, the invention in its 

15 broader aspects is not limited to specific details shown and described herein. Modifications, for 
example, to steps for obtaining security clearance to complete requests, may be made without 
departing from the spirit and scope of the invention. Accordingly, it is intended that tiie 
invention not be limited to the specific illustrative embodiments but be interpreted within the full 
spirit and scope of tiie appended claims and their equivalents. 
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What is claimed is: 

1 , A method of monitoring a registry comprising: 
requesting a handle for a registry key to a caliing process; 
requesting a registry key value for the handle; and 

5 obtaining security clearance to complete the requests. 

2. The method of claim 1 further comprising after requesting a handle for a registry key to a 
calling process: 

determining a process ID and registry key; 

determining whether the process is secured by checking a secured process list; 
10 if the process is secured, determining whether the registry key is on a rejection list; 

if the registry key is on the rejection list, denying the process access to the registry key; 
and 

if the process is not on the secured list or if the registry key name is not on the rejection 
list, completing the request 
15 3. The method of claim 1 further comprising after requesting a registry key value for the 
handle: 

determining a process ID and registry key value; 

determining whether the process is secured by checking the secured process list; 
if the process is secured, determining whether the registry key is on the rejection list; 
20 if the registry key is on the rejection list, denying the process access to the registry key 

value; 

if the process is not on the secured list, completing the request; 

if the registry key is not on the rejection Ust and the process is on the secured process list, 
processing the value request and determining whether the value is on the rejection list; 
25 if the value is not on the rejection list allowing the request to be completed; and 

if tiie value is on the rejection list denying access to the registry key value. 

4. The method of claim 1 fiirther comprising after modifying and deleting handles and 

values: 

determining a process ID; 
30 determining whether the process is secured by checking whether the process is on the 

secured process list; 

if the process is not on the secured process list, completing the request; and 

if the process is on the secured process list, not allowing the request to be completed. 



6 



WOOl/25953 PCT/USOO/26844 
5 . A registry monitoring system wherein the registry is monitored by a method comprising: 
requesting a handle for a registry key to a calling process; 
requesting a registry key value for the handle; and 
obtaining security clearance to complete tiie requests. 
5 6. The registry monitoring system of claim 5 further comprising after requesting a handle 
for a registry key to a calling process: 
detennining a process ID and registry key; 

determining whether the process is secured by checking a secured process list; 
if the process is secured, determining whether the registry key is on a rejection list; 
10 if the registry key is on the rejection Hst, denying the process access to the registry key; 

and 

if the process is not on the secured list or if the registry key name is not on the rejection 
list, completing the request. 
7. The registry monitoring system of claim 5 further comprising after requesting a registry 
1 5 key value for the handle: 

determining a process ID and registry key value; 

determining whether the process is secured by checking the secured process list; 
if the process is secured, detennining whether the registry key is on the rejection list; 
if the registry key is on the rejection Ust, denying the process access to the registry key 
20 value; 

if the process is not on the secured list, completing the request; 

if the registry key is not on the rejection list and the process is on the secured process list, 
processing the value request and determining whether the value is on the rejection list; 
if the value is not on the rejection list allowing the request to be completed; and 
25 if the value is on the rejection list denying access to the registry key value. 

8. The registry monitoring system of claim 5 further comprising after modifying and 
deleting handles and values: 

determining a process ID; 

determining whether the process is secured by checking whether the process is on the 
30 secured process Ust; 

if the process is not on the secured process list, completing the request; and 

if the process is on the secured process list, not allowing the request to be completed. 

9. A computer configured to monitor a registry according to a method comprising: 
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requesting a handle for a registry key to a calling process; 
requesting a registry key value for the handle; and 
obtaining security clearance to complete the requests. 

1 0. The computer of claim 9 further comprising after requesting a handle for a registry key to 
5 a calling process: 

determining a process ID and registry key; 

determining whether the process is secured by checking a secured process list; 
if the process is secured, determining whether the registry key is on a rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key; 
10 and 

if the process is not on the secured list or if the registry key name is not on the rejection 
list, completing the request. 

1 1 . The computer of clarni 9 further comprising after requesting a registry key value for the 
handle: 

15 determining a process ID and registry key value; 

determining whether the process is secured by checking the secured process hst; 
if the process is secured, determining whether the registry key is on the rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key 
value; 

20 if the process is not on the secured list, completing the request; 

if the registry key is not on the rejection hst and the process is on the secured process Ust, 
processing the value request and determining whether the value is on the rejection list; 
if the value is not on the rejection list allowing the request to be completed; and 
if the value is on the rejection list denying access to the registry key value. 

25 12. The computer of claim 9 further comprising after modifying and deleting handles and 
values: 

determining a process ID; 

determining whether the process is secured by checking whether the process is on the 
secured process list; 

30 if the process is not on the secured process hst, completing the request; and 

if the process is on the secured process list, not allowing the request to be completed. 
13. A machine-readable medium comprising a program to monitor a registry according to a 
method comprising: 



8 



wo 01/25953 PCT/USOO/26844 
requesting a Bandle for a registry key to a calling process; 
requesting a registry key value for the handle; and 
obtaining security clearance to complete the requests, 

14. The machine-readable medium of claim 1 3 further comprising after requesting a handle 
for a registry key to a calling process: 

detennining a process ID and registry key; 

determining whether the process is secured by checking a secured process list; 
if the process is secured, detennining whether the registry key is on a rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key; 
and 

if the process is not on the secured list or if the registry key name is not on the rejection 
list, completing the request. 

15, The machine-readable medium of claim 13 further comprising after requesting a registry 
key value for the handle: 

detennining a process ID and registry key value; 

determining whether the process is secured by checking the secured process list; 
if the process is secured, determining whether the registry key is on the rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key 
value; 

if the process is not on the secured list, completing the request; 

if the registry key is not on the rejection list and the process is on the secured process list, 
processing the value request and determining whether the value is on the rejection list; 
if the value is not on the rejection list allowing the request to be completed; and 
if the value is on the rejection list denying access to the registry key value. 

16. The machine-readable medium of claim 13 further comprising after modifying and 
deleting handles and values: 

determining a process ID; 

determining whether the process is secured by checking whether the process is on the 
secured process list; 

if the process is not on the secured process list, completing the request; and 

if the process is on the secured process list, not allowing the request to be completed. 

17. A computer implemented secured data transmission system having a receiver to access 
secured file content provided by a sender, wherein the receiver includes a registry monitoring 
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system wherein the registry is monitored by a method comprising: 
requesting a handle for a registry key to a calling process; 
requesting a registry key value for the handle; and 
obtaining security clearance to complete the requests. 
5 18. The computer implemented secured data transmission system of claim 1 7 further 
comprising after requesting a handle for a registry key to a calling process: 
determining a process ID and registry key; 

determining whether the process is secured by checking a secured process list; 
if the process is secured, determining whether the registry key is on a rejection list; 
10 if the registry key is on the rejection list, denying the process access to the registry key; 

and 

if the process is not on the secured list or if the registry key name is not on the rejection 
list, completing the request. 
19, The computer implemented secured data transmission system of claim 17 further 
15 comprismg after requesting a registry key value for the handle: 
determining a process ID and registry key value; 

determining whether the process is secured by checking the secured process list; 
if the process is secured, determining whether the registry key is on the rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key 
20 value; 

if the process is not on the secured list, completing the request; 

if the registry key is not on the rejection hst and the process is on the secured process lis 

processing the value request and determining whether the value is on the rejection Ust; 

if the value is not on the rejection list allowing the request to be completed; and 
25 if the value is on the rejection Ust denying access to the registry key value. 

20. The computer implemented secured data transmission system of claim 17 further 
comprising after modifying and deleting handles and values: 

determining a process ID; 

determining whether the process is secured by checking whether the process is on the 
30 secured process list; 

if the process is not on the secured process Ust, completing the request; and 

if the process is on the secured process list, not allowing the request to be completed. 



10 



wo 01/25953 



Q9/70128O 

PCT/USOO/26844 




SUBSTITUTE SHEET (RULE 26) 



wo 0iy25!>S3 



89/701280 



PCT/USOO/26844 



2/2 




SUBSTITUTE SHEET (RULE 26) 



Doc. No. 1243-00 
Declaration and Power of Attorney for Patent Application 



As the below named inventor, we hereby declare that: 

Our residence, post office address and citizenship are as stated next to our names, 

We believe we are the original and first inventors of the subject matter which is claimed and for 
which a patent is sought on the invention entitled REGISTRY MONITORING SYSTEM AND 
METHOD the specification of which is filed herewith. 

We hereby state that we have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by any amendment referred to above. 

We acknowledge the duty to disclose information which is material to the examination of this 
appHcation in accordance with Title 37, Code of Federal Regulations, §1. 56(a). 

We hereby claim foreign priority benefits under Title 35, United States Code, §1 19 of any 
foreign application(s) for patent or inventor's certificate listed below and have also identified 
below any foreign application for patent or inventor's certificate having a filing date before the 
application on which priority is claimed: 

Prior Foreign Application(s) Priority Claimed 



(Number) (Country) (Day/Month/Year Filed) Yes No 

We hereby claim the benefit under Title 35, United States Code, §120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this 
application is not disclosed in the prior United States application in the manner provided by the 
first paragraph of Title 35, United States Code, §112, we acknowledge the duty to disclose 
material information as defined in Title 37, Code of Federal Regulations, § 1.56(a) which 
occurred between the filing date of the prior application and the national or FCT international 
filing date of the application: 

PCT/USOO/26844 9/29/00 pending 

(Application Serial No.) (Filing Date) (Status) 

(patent, pending, abandoned) 

We hereby appoint the following attorneys and/or agents to prosecute this application and 
to transact all business in the Patent and Trademark Office connected therewith: 



T. Daniel Christenbury 
Guy T. Donatiello 
Paul A. Taufer 
Austin R. Miller 
James A. Drobile 
Gerard J. Weiser 
Robert A. McKinley 
Michael A. Patane 
Joan T. Kluger 
Sharon Fenick 
Stewart M. Wiener 
Armando A. Flores 
Felicity Rowe 



Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 
Reg. 



No. 
No. 
No. 
No. 
No. 
No. 
No. 
No. 
No. 
,No. 
,No. 
,No. 
,No. 



35JQ3 

45^-9 
46,201 
,41,754 
,47^042 




Address all telephone calls to P_aul A. Taufer, Schnader Harrison Segal & Lewis LLP, 
Suite 3600, 1600 Market Street, Philadelphia, PA 19103 (215) 751-2475. 

Address all correspondence to Pad A. Taufer, Schnader Harrison Segal & Le wis LLP, 
Suite_3600Ji^}^L^^^ 

We hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the like 
so made are punishable by fine or imprisonment, or both, under §1001 of Title 18 of the 
United States Code and that such wilful false statements may jeopardize the validity of 
the application or any patent issued thereon. ^ 'rY\^ 

Full name of first and joint inventor: George Friedman^ 






Residence: 7 109 Montana Norte, Austin, Texas 78727 
Citizenship: USA 

Mailing Address: same as above — , r~^, 




Full name of second and joint inventor: Robert Phillip Starek 



Inventor signature S U-<^ 




Date 
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Residence: 1 807 W. Slaughter Lane #200-482, Austin, Texdk 78748 
Citizenship: USA ^ 
Mailing Address: same as above ^ ^ 

Full name of third and joint inventor: CarioiAJ^iu£do^ 

Inventor signature /C/J^ ^ - ^''^^-^^ ^ 

Residence: 45 1 7 Avenue F, Austin, Texas 7875 1 / 
Citizenship: USA 
Mailing Address: same as above 
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